Reproducible Build Verification - Requesting Build Documentation #72

@xrviv
Hi @piotrnar,

I'm Danny from https://walletscrutiny.com, a project dedicated to verifying the reproducibility of
cryptocurrency wallet software. Our goal is to help users confirm that the binaries they download
match the published source code — ensuring no hidden modifications exist between what's auditable
and what's actually running on their machines.

What We Do

We attempt to build wallet software from source using the exact release tags and compare the
resulting binaries against official releases. When builds match, users gain confidence that the
binary they're running is indeed compiled from the public source code.

Our Findings for Gocoin v1.11.0

We attempted to reproduce the Linux (amd64) release and found that our builds do not match the
official binaries from GitHub releases:
┌────────┬─────────────────┬──────────────────┐
│ Binary │ Official SHA256 │ Our Build SHA256 │
├────────┼─────────────────┼──────────────────┤
│ client │ cd8b24bf... │ 1c06b2ac... │
├────────┼─────────────────┼──────────────────┤
│ wallet │ a79f2359... │ 30672c0c... │
└────────┴─────────────────┴──────────────────┘
Binary sizes also differ:

  • Official client: 17.0 MB → Our build: 14.4 MB (~15% smaller)
  • Official wallet: 6.9 MB → Our build: 5.9 MB (~15% smaller)

Our Methodology

  1. Downloaded official release: gocoin-1.11.0-linux-amd64.tar.gz from GitHub releases
  2. Cloned source at tag 1.11.0
  3. Built in a containerized environment using golang:1.22-bookworm
  4. Compiled with: CGO_ENABLED=0 go build -trimpath -ldflags="-s -w"
  5. Compared SHA256 hashes of client and wallet binaries

Questions

To help us reproduce your official builds, could you share:

  1. Go version used for the v1.11.0 release?
  2. Build flags — do you use any specific ldflags, -trimpath, or other options?
  3. CGO — are official builds compiled with CGO_ENABLED=1 (perhaps including the sipasec speedup)?
  4. Build environment — OS/toolchain used?

We noticed the README mentions that "binaries are almost never up to date" and encourages
self-compilation. If reproducible builds aren't a priority for the project, that's completely
understandable — we'd simply document that users should compile from source for maximum assurance.

Our Script

Our verification script is open source and available for review. We're happy to adjust our build
process to match yours if you can provide the details.

Thank you for your work on Gocoin! Any guidance would be appreciated.

Best regards,
Danny
WalletScrutiny.com
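The comparison step of the methodology above (hash both sets of binaries, report which ones differ, and then inspect what the official binary records about its own build) as an added shell example. This is not WalletScrutiny's verification script and not Gocoin's code; it assumes the extracted official release and the self-built binaries already sit in two local directories, and the directory names, function names and the sample contents used in its test are constructed. The `go version -m` step is the check a verifier wants first when hashes differ: a binary built with Go 1.18 or later carries its Go version and build settings (CGO_ENABLED, -trimpath, -ldflags) in its buildinfo section, which survives `-s -w` stripping, so questions 1 to 3 of the post can often be answered from the official binary itself. Older toolchains record only the Go version, so the step is a hint, not a guarantee.

```shell
#!/bin/sh
# Added example for comparing a self-built Go release against the official one.
# Not WalletScrutiny's script or Gocoin's code; directory layout is an assumption.

# sha256_of FILE: print the hex digest, using whichever tool the host provides
# (GNU coreutils sha256sum, or perl/BSD shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# compare_release_hashes OFFICIAL_DIR OUR_DIR NAME...
# Hashes each NAME in both directories, prints MATCH/MISMATCH per binary together
# with byte sizes (size drift is a quick signal of differing flags), and returns
# 0 only if every binary matches. Missing files count as mismatches.
compare_release_hashes() {
    official_dir=$1
    our_dir=$2
    shift 2
    status=0
    for name in "$@"; do
        if [ ! -f "$official_dir/$name" ] || [ ! -f "$our_dir/$name" ]; then
            echo "MISSING  $name (official or local copy absent)"
            status=1
            continue
        fi
        off=$(sha256_of "$official_dir/$name")
        ours=$(sha256_of "$our_dir/$name")
        off_size=$(wc -c < "$official_dir/$name" | tr -d ' ')
        our_size=$(wc -c < "$our_dir/$name" | tr -d ' ')
        if [ "$off" = "$ours" ]; then
            echo "MATCH    $name $off ($off_size bytes)"
        else
            echo "MISMATCH $name official=$off ($off_size bytes) ours=$ours ($our_size bytes)"
            status=1
        fi
    done
    return $status
}

# inspect_buildinfo BINARY: print the Go version and build settings embedded in
# a Go binary. On Go >= 1.18 builds this lists CGO_ENABLED, -trimpath and
# -ldflags, which is what to diff against your own build command when hashes
# disagree. Skips quietly if no Go toolchain is installed.
inspect_buildinfo() {
    if command -v go >/dev/null 2>&1; then
        go version -m "$1"
    else
        echo "go toolchain not found; cannot read buildinfo for $1" >&2
    fi
}

# Usage (assumed layout):
#   compare_release_hashes ./official ./ours client wallet || inspect_buildinfo ./official/client
```

Run the comparison after extracting the official tarball into one directory and copying the self-built binaries into another; a non-zero exit means at least one binary differs, and the buildinfo dump of the official binary then shows which toolchain settings to align before rebuilding.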
